(54) Shopping system

(57) A shopping system for safely communicating shopping data among information processors has first to third information processors (1, 2, 3). The first information processor (1) has a first storage unit (13) for storing an address to which ordering data is to be transmitted and a second storage unit (11) for storing electronic money, and transmits ordering data in accordance with an order. The second information processor (2) responds to the ordering data to issue a payment address and invoice data (51) obtained by digitally signing an invoice. The first information processor responds to the invoice data to transmit an amount of electronic money corresponding to the order to the payment address. The third information processor (3) responds to reception of the electronic money to issue a receipt (53) digitally signed by a private key. The first information processor transmits the digitally signed receipt received from the third information processor to the second information processor. The first information processor can digitally sign the invoice data digitally signed by the second information processor to transmit it to the third information processor. The third information processor checks two signatures on the received invoice data, of which one is signed by the second information processor and the other is signed by the first information processor. The first information processor transmits a request for repaying the electronic money transmitted to the third information processor in accordance with the order to the second information processor, the second information processor transmits repayment permit data including data for specifying a repaying apparatus, an amount of refund and data for specifying a refund receiving apparatus after digitally signing the repayment permit data by a private key, and the first information processor responds to the electronic money remitted in accordance with the repayment request to transmit a repayment receipt obtained by digitally signing data including identification of the repayment permit data by a private key from the second information processor to the third information processor.



FIG. 5 
Description

The present invention relates to a shopping system for safely carrying out transactions by utilizing electronic money on a communication network.

US patent No. 5,440,634 and the Secure Electronic Transaction (SET) Specification, June 17, 1996, teach an electronic value transfer system and cashless transaction, and digital signatures.

Today, a system for doing shopping by using an open network such as an internet has come to the front. In existing systems, a retail shop offers goods information to a consumer through a world-wide web (WWW) server, and the consumer selects goods desired to be purchased by watching the goods information at a WWW browser and gives an order. Principally, a method of using a credit card and a method of using electronic money are employed for payment.

In internet shopping, security matters. Since anyone can access the internet with ease, there is a possibility that information is eavesdropped and altered by a third person. Also, there is a possibility that a third person impersonates an authorized user to carry out transactions. Further, there is a possibility that a person concerned who participates in transactions substitutes data, denies the contents of transactions and runs away with the money.

To cope with the problems as above, the existing system utilizes encryption of data, digital signatures and a certificate authority. For encryption of data, such methods as data encryption standard (DES) and RSA are available.

The digital signature is used as a technique for preventing substitution of data, specifying a planner of data and authenticating a communication partner. The digital signature is data encrypted by calculating a Hash value of the data to be signed and applying an asymmetric key cryptography algorithm represented by RSA to the Hash value. As algorithms for calculation of the Hash value, SHA-1 and MD5 are used. For verifying the validity of the digital signature, data decrypted by using the other encryption key paired with the encryption key used when the digital signature is prepared is compared with a Hash value of the original data when the digital signature is prepared, and it is checked whether one coincides with the other. Typically, the digital signature together with its original data is transferred to a communication partner.

In a shopping system and an electronic money system conforming to the existing open network, encryption and digital signature are utilized to prevent eavesdropping and alteration of data during communication. In the case of a transaction protocol presupposing credit card payment in SET, only the processing of giving an order to a retail shop and the processing of obtaining approval of a card company are carried out through the open network, but the processing for payment is carried out through a banking organ network. In this case, an invoice certifying the contents of transactions is mailed to a card owner and completion of payment can be evidenced by a withdrawal record from a bank account. Accordingly, in the SET, data concerning invoice and receipt is not handled.

When transactions are carried out by utilizing electronic money on the open network, all processings including the payment process are essentially executed on the open network. Therefore, electronic data which can objectively certify the contents of transactions and the completion of payment must be presented during transactions through the communication network. It matters that the data is rewritten by a third person in the course of communication and that the data is rewritten by a person concerned who receives the data, or a recipient, at his or her discretion.
Further, in a system in which an information processor for giving an order (a client), an information processor for receiving or managing the order (an ordering management server) and an information processor for receiving and managing the money (a payment server) are connected to a communication network, when a trusted third organ is agential for execution of payment, ordering information and payment information must be transferred between the information processors without being substituted, and when any troubles are raised later on, the contents of ordering and the completion of payment must be confirmed by causing a person participating in the transactions to offer the ordering information and the payment information, and it must be certified that the data is not substituted.

Further, not only when goods are purchased but also when goods are returned or transactions are canceled, the money must be repaid safely to a purchaser by using electronic money through the communication network. In this case, unauthorized reception of a refund by a third person must be prevented.

An object of the present invention is to provide a system and a method which can provide a person participating in transactions with data for certifying the contents of transactions and the state of payment on a communication network when shopping is carried out on the communication network by using electronic money.

Another object of the present invention is to provide a system and a method which can avoid any troubles in transactions among an information processor for ordering, an information processor for receiving and managing an order and an information processor for receiving and managing the money which are connected to a network.

Still another object of the present invention is to provide a system and a method which can repay a refund to an authorized purchaser by preventing the refund from being tapped by an unauthorized third person when the money of returned goods or an amount of money excessively paid in advance is repaid to the purchaser by using electronic money on the communication network.

According to one aspect of the present invention, a shopping system for communicating shopping data comprises:

a first information processor adapted to transmit ordering data in accordance with an order and having a first storage unit for storing an address to which the ordering data is to be transmitted and a second storage unit for storing electronic money;

a second information processor connected to the first information processor through a network and being responsive to the ordering data to issue a payment address corresponding to the order and invoice data obtained by digitally signing an invoice, the first information processor being operative to respond to the invoice data to transmit an amount of electronic money corresponding to the order to the payment address; and

a third information processor connected to the first and second information processors through the network and being responsive to reception of the amount of electronic money to issue a receipt digitally signed by a private key, the first information processor being operative to transmit to the second information processor the digitally signed receipt received from the third information processor.

The first information processor can digitally sign the invoice data digitally signed by the second information processor to transmit it to the third information processor, and the third information processor can check (verify) two signatures on the received invoice data, of which one is signed by the second information processor and the other is signed by the first information processor.

The second information processor can check (verify) whether the signature on the receipt received from the first information processor coincides with the payment address affixed to the invoice data.

The first information processor can transmit a request for repaying the electronic money transmitted to the third information processor in accordance with the order to the second information processor, the second information processor can transmit repayment permit data including data for specifying a repaying apparatus, an amount of refund and data for specifying a refund receiving apparatus after digitally signing the repayment permit data by a private key, and the first information processor can respond to the electronic money remitted in accordance with the repayment request to transmit the repayment receipt digitally signed by the private key on data including identification of the payment permit data by means of the second information processor to the third information processor.

The second information processor can use identification data included in certificate data digitally signed by a certificate authority, in order to specify the first information processor or the user thereof.

According to another aspect of the present invention, an information processor connected to a shopping system for communicating shopping data comprises:

a controller for transmitting ordering data in accordance with an order;

a first storage unit for storing an address to which the ordering data is to be transmitted; and

a second storage unit for storing electronic money, wherein the controller responds to a payment address issued in accordance with the ordering data and corresponding to the order and invoice data obtained by digitally signing an invoice to transmit an amount of electronic money corresponding to the order to the repayment address, and transmits a copy of a receipt issued in accordance with the amount of electronic money and digitally signed by a private key.



According to still another aspect of the present invention, an information processor connected to a shopping system for communicating shopping data comprises:

a control unit responsive to received ordering data to issue a repayment address corresponding to the order and invoice data obtained by digitally signing an invoice; and

a communication unit for receiving a receipt, wherein the control unit checks (verifies) whether a signature on the received receipt coincides with the payment address affixed to the invoice data.

According to still another aspect of the present invention, an information processor connected to a shopping system for communicating shopping data comprises:

a control unit responsive to reception of an amount of electronic money corresponding to an order to issue a receipt digitally signed by a private key; and

a communication unit for communicating invoice data and receipt data, wherein the control unit checks (verifies) the signature on the received invoice data.
In the drawings:

Fig. 1 is a block diagram showing the overall construction of the present invention.

Fig. 2 is a block diagram showing the construction of a client.

Fig. 3 is a block diagram showing the construction of an ordering management server.

Fig. 4 is a block diagram showing the construction of an electronic money payment server.

Fig. 5 is a flow chart showing flow of messages, invoice data and receipt data in the purchase process.

Fig. 6 is a diagram showing a data structure of the invoice data.

Fig. 7 is a diagram showing a data structure of the receipt data.

Fig. 8 is a flow chart showing the process by the client in the purchase process.

Fig. 9 is a flow chart showing the process by the ordering management server in the purchase process.

Fig. 10 is a flow chart showing the process by the electronic money payment server in the purchase process.

Fig. 11 is a diagram showing an ordering data structure stored in a storage unit of the ordering management server.

Fig. 12 is a diagram showing an ordering data structure stored in a storage unit of the ordering management server.

Fig. 13 is a diagram showing a payment data structure stored in a storage unit of the electronic money payment server.

Fig. 14 is a diagram showing a client screen on which ordering data is displayed.

Fig. 15 is a diagram showing a client screen on which invoice data is displayed.

Fig. 16 is a diagram showing a client screen on which receipt data is displayed.

Fig. 17 is a flow chart showing messages, repayment permit data and repayment receipt data in the repayment process.

Fig. 18 is a diagram showing a data structure of the repayment permit data.

Fig. 19 is a diagram showing a data structure of the repayment receipt data.

Fig. 20 is a flow chart showing the process by the client in the repayment process.

Fig. 21 is a flow chart showing the process by the ordering management server in the repayment process.

Fig. 22 is a flow chart showing the process by the ordering management server in the repayment process.

Fig. 23 is a flow chart showing the process by the electronic money payment server in the repayment process.

Fig. 24 is a diagram showing a client screen on which repayment request data is displayed.

Fig. 25 is a diagram showing a client screen on which the repayment permit data is displayed.

An embodiment of an on-line shopping system according to the present invention will be described hereunder with reference to the accompanying drawings.

Fig. 1 shows, in block diagram form, the overall construction of the system of the present invention, which is connected to a computer network 4 and a certificate authority 8. An information processor 1 gives an order for goods and service and is called a client, an information processor 2 accepts and manages the order and is called an ordering management server, and an information processor 3 accepts and manages the money and is called an electronic money payment server. The computer network 4 interconnects the information processors 1 to 3 and is typically exemplified by an internet.

The client 1 is constructed as shown, in block diagram form, in Fig. 2. An electronic money storage unit 11 stores electronic money and may be realized with either an IC memory, such as an IC card (also called a smart card) or an IC memory with hardware logic, or another external memory device such as a hard disc. A communication unit 12 communicates with another information processor and is used to transmit and receive electronic money, ordering data, invoice data and receipt data. A storage unit 13 stores programs and various kinds of data as well as a private key for affixing a digital signature. A display unit 14 displays the ordering data, the invoice data and receipt data. An input unit 15 inputs, for example, the ordering data. A control unit 16 is for controlling programs running in the information processor 1 and is adapted to prepare and verify digital signatures and control input and output, communication and the execution sequence explained later.

The ordering management server 2 is constructed as shown, in block diagram form, in Fig. 3. A storage unit 21 stores programs, order data and customer data as well as a private key used for affixing a digital signature. A communication unit 22 communicates with another information processor and is adapted to transmit and receive ordering data, invoice data and receipt data. An input unit 23 inputs various kinds of data, and a display unit 24 displays various kinds of data. The input unit 23 and the display unit 24 may be omitted. A control unit 25 controls programs running in the management server and is adapted to prepare and verify digital signatures and control input and output, communication and the execution sequence.

The electronic money payment server 3 is constructed as shown, in block diagram form, in Fig. 4. An electronic money storage unit 31 stores electronic money and, like the electronic money storage unit 11, it is realized with an IC memory or an external storage unit. A communication unit 32 communicates with another information processor and is adapted to transmit and receive electronic money, invoice data and receipt data. A storage unit 33 stores programs and various kinds of data as well as a private key for affixing a digital signature. An input unit 35 inputs various kinds of data and a display unit 34 displays various kinds of data. The display unit 34 and the input unit 35 may be omitted. The control unit 36 controls programs running in the payment server 3.

The embodiment of the present invention will now be described by way of two examples of purchasing goods or service (a purchase process) or repaying goods or service (a repayment process) in the on-line shopping system of the present invention.

(a) Purchase of goods or service (purchase process)

Fig. 5 is a flow chart showing flow of messages, invoice data 51 and receipt data 53 in the purchase process. Messages 110 to 220 are each transmitted and received between the information processors. The invoice data 51 is described with 'M' which indicates that the invoice data 51 is digitally signed by the ordering management server 2. A money receipt request message is described with a digital signature 52 affixed by the client 1. The receipt data 53 is described with 'P' which indicates that the receipt data 53 is digitally signed by the electronic money payment server 3. The digital signature 'C' designated by reference numeral 52 and described on different invoice data 51 indicates that the invoice data 51 is digitally signed by the client 1.

Fig. 6 shows a data structure of the invoice data 51 and Fig. 7 shows a data structure of the receipt data 53. Data items illustrated in the figures are mere examples and other data items may be used. The digital signature is obtained by calculating a Hash value of data to be signed and encrypting the Hash value by a private key. The Hash function used for calculating the Hash value is represented by algorithms such as SHA-1 and MD5. An asymmetric key cryptography algorithm such as RSA (elliptic curve cryptography) is used for the method for encryption by the private key. For verification of the digital signature, it is checked whether data obtained by decoding the digital signature by a public key paired with the private key coincides with data obtained by calculating a Hash value of the plaintext data to be signed. A digital signature 55 is obtained by encrypting a Hash value of data block 54 by a private key owned by the ordering management server 2. A digital signature 58 is obtained by encrypting a Hash value of data block 57 by a private key owned by the electronic money payment server 3.

The processing procedure by the client 1 is shown in a flow chart of Fig. 8, the processing procedure by the ordering management server 2 is shown in a flow chart of Fig. 9 and the processing procedure by the electronic money payment server 3 is shown in a flow chart of Fig. 10.

Ordering data pieces 61 and 62 stored in the storage unit 21 of the ordering management server 2 are shown in Figs. 11 and 12. Payment data 63 stored in the storage unit 33 of the electronic money payment server 3 is shown in Fig. 13.

Referring now to Figs. 5, 8, 9 and 10, the processing procedure of the purchase process will be described.

In the following description, the term "authentication" means certifying that a recipient in the present communication coincides with a recipient with whom an originator intends to communicate, and the term "certificate for authentification" means data which includes a public key and an identifier of the owner of the public key and which is digitally signed by the certificate authority.

A user designates, on the display screen of the client 1, goods/service and the number thereof from goods information sent from the server 2 to the client 1 and designates ordering data from the electronic money and credit (the bank account may further be added), and the designated goods/service, the number thereof and the ordering data are inputted to the client 1.

When the ordering data is inputted to the client 1 (step 310), the client makes a request (step 320) to the ordering management server for a message 110 having a certificate for authentification (including a public key) of the ordering management server. When receiving the message 110 (step 510), the ordering management server prepares a response message 120 including the certificate for authentification (inclusive of the public key) of the ordering management server, digitally signs the whole of the message and sends the message 120 to the client (step 520). A certificate of the payment server that the management server has obtained from the certificate authority is enclosed in an invoice and sent in the form of a message 140.

In step 320, the client 1 takes the public key of the ordering management server from the sent certificate and verifies the validity of the digital signature on the message 120. If valid, an identifier indicative of the owner of the public key included in the sent certificate is displayed, thereby allowing a consumer to select the coincidence or non-coincidence with a partner with whom the consumer transacts. If coincidence is selected, the authentification of the ordering management server is proven to be successful and the program proceeds to the next step. If non-coincidence is selected, the processing ends.

Then, the client 1 transmits ordering data in the form of a message 130 to the ordering management server (step 330). The client now digitally signs the ordering request message including the ordering data. A certificate of the client is also transmitted along with the ordering data through the medium of this message. An example of an ordering data screen displayed on the display unit of the client 1 is shown in Fig. 14. When the ordering management server 2 receives the message 130 (step 530), the ordering data is stored in the storage unit 21 (step 540) and invoice data 51 is prepared (step 550). An identifier for identification of the client is inserted in the invoice data 51. The identifier is identical to the payer ID in Fig. 6. An identifier of the owner of the public key included in the certificate of the client is used as the payer ID. In place of the aforementioned identifier, the public key included in the certificate may be used. The ordering management server digitally signs the invoice data.

The management server 2 transmits to the client 1 the message 140, that is, a payment request message including the invoice data affixed with signature (step 560).

An invoice data screen 72 displayed on the display unit of the client 1 is shown in Fig. 15. When the payment request message 140 is received, the screen 72 may preferably be displayed.

When receiving the message 140 (step 340), the client 1 verifies the validity of the digital signature on the invoice. The invoice is displayed in compliance with the requirement by the consumer (the owner of the client). For example, when the price is low, no display is effected. If the digital signature is valid, the program proceeds to the next step, but if invalid, an error is displayed, stopping the processing (A).

The client 1 transmits a money reception request message 150 including the invoice data 51 and affixed with the digital signature 52 of the client to the payment server (step 350). At that time, the certificate for authentification of the client is concurrently sent. The payment server receiving the message 150 in step 710 verifies the validity of the digital signatures on the aforementioned message affixed by the ordering management server and affixed by the client. What is meant by verification of the validity of the digital signature by the ordering management server is to verify whether the digital signature of the ordering management server is affixed, in order to check if the transmission contents are acceptable to the payment server. For example, when public keys of acceptable ordering management servers are stored in storage units of a plurality of ordering management servers, respectively, and the digital signature is verified by any one of the public keys, it can be decided whether the invoice sent from the client is transmitted from an ordering management server which is acceptable to the payment server. On the other hand, for verification of the signature of the client, it is first checked whether the payer ID included in the invoice coincides with the identifier of the owner of the public key included in the sent certificate of the client. If coincident, the validity of the client digital signature on the message 150 is verified by the public key included in the certificate. If the digital signature is valid, it can be confirmed that the partner to which the ordering management server has issued the invoice is identical with the transmitter of the message 150.

If the digital signatures of the ordering management server and the client are valid, a money reception response message including data indicative of payment permission is prepared. The payment server digitally signs the message.

The payment server sends the money reception message 160 to the client (step 740).

The client verifies whether the digital signature of the received message 160 (step 360) has been signed by the payment server which is about to pay the money. Since the client has received the public key of the payment server from the ordering management server through the medium of the message 140, it verifies the validity of the digital signature by the public key. If the digital signature is valid, it is certified that the message 160 is from the payment server designated by the ordering management server, indicating that the authentification of the payment server is successful. If the authentification succeeds (step 370), the program proceeds to the next step. But if unsuccessful, a failure of the authentification is displayed and the processing ends (A).

The client sends electronic money data 170 to the payment server (step 380).

When one or more round trips are needed between the client and the payment server for the sake of sending the electronic money, the payment server 3 sends electronic money data to the client through the medium of a message 180. The messages 170 and 180 are transmitted as many times as is necessary for transmission of the electronic money data. When a final electronic money reception notice is sent through the medium of the message 160, a receipt may be sent to thereby omit messages 190 and 200. When the final electronic money data is sent through the medium of the message 170 (that is, the message from the client to the server), only a receipt is sent through the medium of the message 160. The payment server digitally signs the receipt.

The client receiving the receipt in step 410 verifies the validity of the digital signature on the receipt by the public key of the payment server. If valid, the program proceeds to the next step, but if invalid, an error is displayed to end the processing. Thereafter, the client transmits a copy of the receipt in the form of a message 210 to the ordering management server, thus informing the server that the payment is finished (step 420).

A receipt data screen 73 to be displayed on the display unit of the client 1 is shown in Fig. 16. When the receipt response message 200 is received, the screen 73 may preferably be displayed.

The ordering management server verifies the validity of the digital signature on the receipt by the public key of the payment server (step 580). The public key used at that time is the public key included in the certificate which is included in the invoice when the invoice is prepared. Through this, it can be confirmed whether the payment is made to the payment server the ordering management server has designated.

If the result of the foregoing processing is valid, the ordering management server 2 transmits to the client a message 190 including data indicative of the completion of transaction, but if invalid, it transmits to the client an error message 220 indicating that the receipt is not authorized (step 670).

When the client 1 receives the ordering response message 220 from the ordering management server 2 (step 430), the purchase process ends.

Through the above processing, safe transactions can be effected when the client 1, the ordering management server 2 and the electronic money payment server 3 are each connected to the computer network 4. The invoice data 51 and receipt data 53 can be used as evidence proving the contents of transactions and the payment completion state in the event that any troubles in transactions are raised later on. Further, by the aforementioned step 720, any unauthorized access to the electronic money payment server 3 can be prevented.
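The purchase-process checks described above (the server-signed invoice, the client's countersignature, the payment server's checks of steps 710 to 720, and the ordering management server's receipt check of step 580), as an added example that is not part of the patent text. It stands in a toy RSA-over-SHA-256 signature for the RSA-over-SHA-1/MD5 scheme the text names, reduces each certificate to an owner identifier plus a public key (the certificate authority's signature is omitted), and uses constructed sample order data; message and step numbers follow Fig. 5 and Figs. 8 to 10.

```python
import hashlib
import json
import random

# Toy textbook RSA (signature = hash^d mod n), included only so the exchange runs offline.
# Production code uses a padded scheme (RSA-PSS, ECDSA) from a vetted library instead.
_rng = random.Random(20240601)  # fixed seed so the demo keys are reproducible

def _is_probable_prime(n, rounds=16):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(c):
            return c

def keygen(bits=512):  # returns ((n, d), (n, e)); n > 2**510, so a 256-bit digest is below n
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, pow(e, -1, phi)), (p * q, e)

def _digest(data):  # canonical JSON so signer and verifier hash identical bytes
    raw = json.dumps(data, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def sign(private, data):
    return pow(_digest(data), private[1], private[0])  # private = (n, d)

def verify(public, data, signature):
    return pow(signature, public[1], public[0]) == _digest(data)  # public = (n, e)

# Message numbers and step numbers follow Fig. 5 and Figs. 8-10 of the text.
def issue_invoice(order_priv, payer_id, pay_server_pub, order):  # steps 550-560, signature 'M'
    block = {"order": order, "payer_id": payer_id, "payment_address": pay_server_pub}
    return {"block": block, "sig_M": sign(order_priv, block)}

def countersign_invoice(client_priv, invoice):  # step 350: 'C' signed over the signed invoice
    return {"invoice": invoice, "sig_C": sign(client_priv, invoice)}

def payment_server_accepts(msg150, client_cert, accepted_order_servers):
    """Steps 710-720 at payment server 3; returns (ok, reason)."""
    inv = msg150["invoice"]
    if not any(verify(pub, inv["block"], inv["sig_M"]) for pub in accepted_order_servers):
        return False, "invoice not signed by an accepted ordering management server"
    if inv["block"]["payer_id"] != client_cert["owner"]:
        return False, "payer ID in invoice differs from certificate owner"
    if not verify(client_cert["public"], inv, msg150["sig_C"]):
        return False, "client signature on message 150 invalid"
    return True, "ok"

def issue_receipt(pay_priv, invoice, amount):  # payment server 3 signs receipt data 53 ('P')
    block = {"for_invoice": invoice["sig_M"], "amount": amount}
    return {"block": block, "sig_P": sign(pay_priv, block)}

def order_server_accepts_receipt(invoice, receipt):  # step 580
    # the verifying key is the payment server key the invoice itself designated
    return verify(invoice["block"]["payment_address"], receipt["block"], receipt["sig_P"])

def run_purchase():
    """Honest flow plus three failure cases; returns {case: accepted?}."""
    order_priv, order_pub = keygen()
    client_priv, client_pub = keygen()
    pay_priv, pay_pub = keygen()
    other_priv, other_pub = keygen()  # an unrelated party with its own key pair
    client_cert = {"owner": "payer-0001", "public": client_pub}  # constructed; CA signature omitted
    other_cert = {"owner": "payer-0002", "public": other_pub}
    order = {"item": "book", "qty": 1, "price": 1200}  # constructed sample order
    invoice = issue_invoice(order_priv, "payer-0001", pay_pub, order)
    def pay(signer_priv, cert, inv):  # client-side step 350 followed by server-side 710-720
        return payment_server_accepts(countersign_invoice(signer_priv, inv), cert, [order_pub])[0]
    out = {"honest": pay(client_priv, client_cert, invoice)}
    # price altered after server 2 signed: signature 'M' no longer verifies
    altered = {"block": dict(invoice["block"], order=dict(order, price=1)), "sig_M": invoice["sig_M"]}
    out["altered_invoice"] = pay(client_priv, client_cert, altered)
    # another party presents the client's invoice under its own certificate: payer ID mismatch
    out["other_party"] = pay(other_priv, other_cert, invoice)
    receipt = issue_receipt(pay_priv, invoice, order["price"])
    out["receipt"] = order_server_accepts_receipt(invoice, receipt)
    # receipt signed by a payment server the invoice never designated
    bad_receipt = issue_receipt(other_priv, invoice, order["price"])
    out["foreign_receipt"] = order_server_accepts_receipt(invoice, bad_receipt)
    return out
```

Running `run_purchase()` shows the honest exchange and the genuine receipt accepted, while the altered invoice, the mismatched payer ID and the receipt from an undesignated payment server are each rejected.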

In the foregoing embodiment, the digital signature affixed by the ordering management server on the message 120 can be omitted. In this case, the process in which the client authenticates the ordering management server can be unneeded.

The digital signature affixed by the client on the message 130 can be omitted. In this case, the payer ID of the invoice can be unneeded and the process of the digital signature of the client can be unneeded in the payment server.

(b) Repayment (repayment process) 

The flow of messages, repayment permit data (also called repayment permission data) 81 and repayment receipt 83 is shown in a flowchart of Fig. 17. Messages 1110 to 1220 are each transmitted and received between the information processors. The repayment permit data 81 is described with 'M', which indicates that the repayment permit data 81 is digitally signed by the ordering management server 2. A refund remittance request message 1150 is described with a digital signature 82 affixed by the client 1. The repayment receipt 83 is described with 'C', which indicates that the repayment receipt 83 is digitally signed by the client 1.

Fig. 18 shows a data structure of the repayment permit data 81 and Fig. 19 shows a data structure of the repayment receipt 83. Data items illustrated in the figures are mere examples and other data items may be used. A digital signature 85 is obtained by encrypting a hash value of data block 84 by a private key owned by the ordering management server 2. A digital signature 88 is obtained by encrypting a hash value of data block 87 by a private key owned by the client 1.

The processing procedure by the client 1 is shown in a flow chart of Fig. 20, the processing procedure by the ordering management server 2 is shown in flow charts of Figs. 21 and 22 and the processing procedure by the electronic money payment server 3 is shown in a flow chart of Fig. 23.

Referring now to Figs. 17, 20, 21, 22 and 23, the processing procedure of the repayment process will be described.

When data necessary to make a repayment in the client 1 is inputted using the input unit 15 (step 1310), a repayment request message 1110 to be described below is transmitted to the ordering management server 2 (step 1320). Fig. 24 shows a screen 91 for repayment request which is displayed on the display unit 14 of the client 1.

When the client digitally signs an ordering request message during purchase, the client also digitally signs the repayment request message 1110. This process is necessary to certify that the purchaser coincides with the repayment requester. In order for the management server (step 1510) to verify the validity of the digital signature on the message 1110 (step 1520), the management server uses the same public key as that of the client used during purchase. This permits authentication of an authorized repayer.

When the client has not signed an ordering request message during purchase, the client need not digitally sign the message 1110 because the identity of the purchaser with the repayment requester cannot be verified by the digital signature. In this case, the validity of the repayment requester can be verified by the transmission of a receipt obtained during purchase through the medium of the message 1110.

When the ordering management server 2 receives the aforementioned message 1110 (step 1510), it is checked whether the transaction ID designated by the message is repayable. If repayable, the ordering data 61 in the storage unit 21 is updated to 'during repayment' (step 1550), the repayment permit data 81 is prepared (step 1560) and a repayment response message 1140 including the repayment permit data 81 is transmitted to the client 1 (step 1570).

Like the message 140 in the purchase process, the message 1140 is digitally signed by the ordering management server.

Fig. 25 shows a screen 92 of the repayment permit data displayed on the display unit 14 of the client 1. The screen 92 may be displayed when the repayment response message 1140 is received.

When the client 1 receives the response message 1140 (step 1330), a refund remittance request message 1150 including the repayment permit data 81 included in the response message 1140 is affixed with the digital signature 82 encrypted by the private key owned by the client 1 and is transmitted to the electronic money payment server 3 (step 1340).

However, when no digital signature is affixed on the message 1110, the digital signature can be omitted because the validity of the digital signature cannot be verified.

When the electronic money payment server 3 receives the request message 1150 (step 1740), it is checked by using the repayment permit data 81 and the digital signature 82 whether the transaction is repayable (step 1750).

When the digital signature of the client is verified, it is checked that an owner identifier of the public key included in the certificate which is transmitted together with the present message by the client coincides with the repayment recipient ID included in the payment permit. If coincident, the validity of the digital signature which is affixed to the present message by the client is verified by means of the public key included in the certificate. If valid (step 1760), authentication of the client is successful. In other words, it is certified that the person receiving repayment permission coincides with the person transmitting the present message.

Even when the digital signature is not used in the message 1110, a digital signature may be affixed if the payment server desires to leave a record as to whom the repayment is made, for the purpose of specifying an unauthorized repayment requester.

More specifically, in a checking method in this case, it is first checked by using the public key of the ordering management server whether the aforementioned repayment permit data 81 is digitally signed by the ordering management server 2. The payment server may store, in advance, the public key of the management server in the storage unit 33, or the certificate of the ordering management server may be transmitted together with the payment certificate data 81. The certificate includes data for identifying the ordering management server and the public key. Further, the certificate is digitally signed by the certificate authority. When the client has digitally signed data including the payment permit data 81 transmitted from the client, it is checked whether the payment recipient coincides with the person who has affixed the digital signature 82. In this case, data identifying the repayment recipient is included in the repayment permit data 81, and as this identifying data the data for identifying the owner of the public key included in the certificate may be used. Firstly, it is checked whether the data for identifying the owner of the public key included in the certificate transmitted together with the digitally signed repayment permit data 81 coincides with the data for identifying the payment recipient included in the repayment permit data 81. Further, by verifying the validity of the digital signature by the public key included in the certificate, it is decided whether an authorized repayment recipient makes a request to the payment server for repayment. In an alternative, when communication data is encrypted (in other words, when the communication path is encrypted), the payment permit data 81 will not be usurped and therefore the step for the client to sign the repayment permit data 81 and the step for the payment server to verify the validity of the repayment recipient can be omitted. When the result of the step 1750 is valid (step 1760), a refund remittance response message 1160 including data indicative of payment permission is transmitted to the client 1 (step 1770).
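The payment server's check in step 1750 (signature 85 of the ordering management server on permit data 81, the owner identifier in the client's certificate against the repayment recipient ID, then the client's signature 82), as an added Go example that is not part of the patent. It substitutes RSA PKCS#1 v1.5 over SHA-256 for the patent's "hash value encrypted by a private key", reduces the certificate to an owner identifier plus public key (its CA signature is assumed to have been checked already), and every type, field and function name is an assumption.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// RepaymentPermit models data block 84 of permit data 81 (field names assumed).
type RepaymentPermit struct {
	TransactionID string
	Amount        int64
	RecipientID   string // data specifying the refund receiving apparatus
}

// SignedPermit is permit data 81: block 84 plus signature 85 of the ordering server.
type SignedPermit struct {
	Permit    RepaymentPermit
	Signature []byte
}

// Certificate stands in for the client certificate sent with message 1150 (CA signature assumed already checked).
type Certificate struct {
	OwnerID string
	Pub     *rsa.PublicKey
}

// RefundRequest is refund remittance request message 1150.
type RefundRequest struct {
	Permit    SignedPermit
	Cert      Certificate
	Signature []byte // digital signature 82 affixed by the client
}

// hashOf gives the "Hash value of the data block" that is signed; sign encrypts it with the private key (RSA PKCS#1 v1.5).
func hashOf(v interface{}) []byte {
	b, _ := json.Marshal(v)
	h := sha256.Sum256(b)
	return h[:]
}
func sign(priv *rsa.PrivateKey, v interface{}) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hashOf(v))
}

// IssuePermit is step 1560 on the ordering management server.
func IssuePermit(serverKey *rsa.PrivateKey, p RepaymentPermit) (SignedPermit, error) {
	sig, err := sign(serverKey, p)
	return SignedPermit{Permit: p, Signature: sig}, err
}

// BuildRefundRequest is step 1340 on the client: sign the received permit data.
func BuildRefundRequest(clientKey *rsa.PrivateKey, cert Certificate, sp SignedPermit) (RefundRequest, error) {
	sig, err := sign(clientKey, sp)
	return RefundRequest{Permit: sp, Cert: cert, Signature: sig}, err
}

// CheckRefundRequest is step 1750 on the payment server; each check has its own error.
func CheckRefundRequest(serverPub *rsa.PublicKey, req RefundRequest) error {
	// 1. Permit 81 must carry signature 85 of the ordering management server.
	if err := rsa.VerifyPKCS1v15(serverPub, crypto.SHA256, hashOf(req.Permit.Permit), req.Permit.Signature); err != nil {
		return fmt.Errorf("permit not signed by ordering management server: %w", err)
	}
	// 2. The owner of the certificate key must be the recipient named in the permit.
	if req.Cert.OwnerID != req.Permit.Permit.RecipientID {
		return fmt.Errorf("certificate owner %q is not repayment recipient %q", req.Cert.OwnerID, req.Permit.Permit.RecipientID)
	}
	// 3. Signature 82 over the permit must verify under that certificate's key.
	if err := rsa.VerifyPKCS1v15(req.Cert.Pub, crypto.SHA256, hashOf(req.Permit), req.Signature); err != nil {
		return fmt.Errorf("client signature invalid: %w", err)
	}
	return nil
}
```

Because signature 82 covers the already-signed permit, a permit altered after issue, a permit signed by anyone other than the ordering management server, and a request from a party other than the named recipient each fail a different check.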

The necessity for affixing the digital signature of the payment server to the message 1160 is small because the client receives the money, and so the necessity for authentication of the payment server in this case is smaller than in the case where the money is sent to the payment server.

When the result of step 1750 is invalid (step 1760), a refund remittance response message 1160 including data indicative of impermissible repayment is transmitted to the client 1 (step 1850). When the client 1 receives the response message 1160 (step 1350) and the message 1160 includes the data indicative of permissible repayment (step 1360), a message 1170 indicative of an electronic money remittance request is transmitted to the electronic money payment server 3 (step 1370). When in step 1360 the message 1160 includes the data indicative of impermissible repayment, the processing ends.

When receiving the message 1170 (step 1760), the electronic money payment server 3 remits electronic money 1180 to the client 1 (step 1790). The transmission of the messages 1170 and 1180 may be effected plural times. When receiving the electronic money 1180 (step 1380), the client 1 prepares repayment receipt data 83 (step 1390) and transmits a repayment receipt transmission message 1190 including the receipt data 83 and digitally signed by the client to the electronic money payment server 3 (step 1400). In the case of an authorized requester, this is necessary for certifying that the repayment is completed, and in the case of an unauthorized requester, this is necessary for specifying the criminal later on.

When the electronic money payment server 3 receives the message 1190 (step 1800), the payment data 63 stored in the storage unit 33 is updated to 'repayment completion' (step 1810) and a repayment receipt response message 1200 is transmitted to the client 1 (step 1820). When the client 1 receives the response message 1200 (step 1410), the processing ends.

The ordering management server 2 transmits a repayment completion inquiry message 1210 to the electronic money payment server 3 (step 1610). When receiving the inquiry message 1210 (step 1830), the electronic money payment server 3 transmits a repayment state response message 1220 including the repayment completion state to the ordering management server 2 (step 1840). If the repayment has already been finished at that time, a completion response is transmitted. The repayment receipt 83 received from the client 1 may be transmitted through the medium of the response message 1220. When the ordering management server 2 receives the response message 1220 (step 1620), the ordering data 61 stored in the storage unit 21 is updated to 'repayment completion' (step 1630) and the processing ends. Instead of the ordering management server inquiring of the payment server about the repayment completion state, the payment server may inform the ordering management server of the repayment completion when it receives the repayment receipt from the client.

Through the above processing, the repayment can be made safely by using the electronic money when the client 1, the ordering management server 2 and the electronic money payment server 3 are each connected to the computer network 4. The repayment permit data 81 and repayment receipt data 83 can be used as evidence proving the contents of the repayment and the repayment completion state in the event that any troubles in the repayment are raised later on. Further, by the step 1750, any unauthorized access to the electronic money payment server 3 can be prevented and unauthorized receipt of the refund by other persons can be prevented.

Programs for execution of the processing shown in Fig. 8 or 20 may be stored in a portable memory medium such as a floppy disc and the medium may be written to the storage unit 13 of the client 1 to execute the processing. The same holds true for the ordering management server 2 and the electronic money payment server 3.

In the foregoing embodiments, some alterations are possible. For example, the message 110 may be transmitted to the certificate authority to obtain a certificate, the digital signature of the client on the message 1110 may be omitted, the paired messages 1120 and 1130 may be omitted, the digital signature of the client on the message 1150 may be omitted, and the messages 1210 and 1220 may be omitted because confirmation by a different means, for example confirmation by mail, may be employed. When the payment server receives the repayment receipt from the client without using the message 1210, the message 1220 may be transmitted.



Claims 

1. A shopping system having a plurality of information processors to communicate shopping data among them, comprising:

a first information processor (1) adapted to transmit ordering data in accordance with an order and having a first storage unit (13) for storing an address to which the ordering data is to be transmitted and a second storage unit (11) for storing electronic money;
a second information processor (2) connected to said first information processor (1) through a network (4) and being responsive to said ordering data to issue a payment address corresponding to the order and invoice data (51) obtained by digitally signing an invoice, said first information processor being operative to respond to said invoice data to transmit an amount of electronic money corresponding to said order to said payment address; and
a third information processor (3) connected to said first and second information processors through said network and being responsive to reception of said amount of electronic money to issue a receipt (53) digitally signed by a private key, said first information processor being operative to transmit to said second information processor said digitally signed receipt received from said third information processor.

2. A shopping system according to claim 1, wherein said first information processor digitally signs said invoice data digitally signed by said second information processor to transmit it to said third information processor, and said third information processor checks two signatures on said received invoice data of which one is affixed by said second information processor and the other is affixed by said first information processor.

3. A shopping system according to claim 1 or 2, wherein said second information processor checks whether the signature on said receipt received from said first information processor coincides with said payment address affixed to said invoice data.



4. A shopping system according to claim 1, 2 or 3, wherein said first information processor transmits a request for repaying the electronic money transmitted to said third information processor in accordance with the order to said second information processor, said second information processor transmits repayment permit data including data for specifying a repaying apparatus, an amount of refund and data for specifying a refund receiving apparatus after digitally signing the repayment permit data by a private key, and said first information processor responds to the electronic money remitted in accordance with said repayment request to transmit to said third information processor the repayment receipt digitally signed on data including identification of said repayment permit data by the private key.

5. A shopping system according to claim 4, wherein said second information processor uses identification data included in certificate data digitally signed by a certificate authority, in order to specify said first information processor or a user thereof.

6. A shopping system according to claim 4, wherein said second information processor uses the private key used for specifying said first information processor during ordering, in order to specify said first information processor or a user thereof.

7. A shopping system according to claim 4, wherein said first information processor digitally signs said repayment request transmitted to said second information processor apparatus.

8. A shopping system according to claim 4, wherein said first information processor digitally signs and sends said repayment permit data digitally signed by said second information processor to said third information processor, and wherein said third information processor checks whether a receiver noted in said repayment permit data coincides with a sender of said repayment permit data to said third information processor.

9. A shopping system according to claim 8, wherein said third information processor uses identification data included in certificate data regarding said first information processor or a user thereof to identify said receiver noted in said repayment permit data.
10. An information processor connected to a shopping system for communicating shopping data, comprising:

a controller (15, 16) for transmitting ordering data in accordance with an order;
a first storage unit (13) for storing an address to which the ordering data is to be transmitted; and
a second storage unit (11) for storing electronic money,

wherein said controller responds to a payment address issued in accordance with said ordering data and corresponding to said order and invoice data (51) obtained by digitally signing an invoice to transmit an amount of electronic money corresponding to said order to said payment address and transmits a copy of a receipt (51) issued in accordance with said amount of electronic money and digitally signed by a private key.

11. An information processing apparatus according to claim 10, wherein a request for repaying the electronic money transmitted corresponding to the order is transmitted, and a repayment receipt obtained by digitally signing repayment permit data by a private key is transmitted in accordance with the electronic money remitted in accordance with said repayment request.

12. An information processor connected to a shopping system for communicating shopping data, comprising:

a control unit (25) responsive to received ordering data to issue a payment address corresponding to the order and invoice data (51) obtained by digitally signing an invoice; and
a communication unit (22) for receiving a receipt,

wherein said control unit checks whether a signature on the received receipt coincides with the payment address affixed to said invoice data.

13. An information processor according to claim 12, wherein said control unit digitally signs repayment permit data including data for specifying a repaying apparatus, an amount of refund and a refund receiving apparatus by a private key and transmits said repayment permit data.

14. An information processor connected to a shopping system for communicating shopping data, comprising:

a control unit (96) responsive to reception of an amount of electronic money corresponding to an order to issue a receipt (53) digitally signed by a private key; and
a communication unit (32) for communicating invoice data and receipt data,

wherein said control unit checks the signature on the received invoice data.



15. A method of communicating shopping data among a plurality of information processors in a shopping system having the plurality of information processors, comprising the steps of:

transmitting ordering data from a first information processor (1);
responding to said ordering data to issue a payment address corresponding to the order and invoice data (51) obtained by digitally signing an invoice from a second information processor (2);
responding to said invoice data to transmit an amount of electronic money corresponding to said order from said first information processor to said payment address;
responding to reception of said amount of electronic money to issue a receipt (53) digitally signed by a private key from a third information processor (3); and
transmitting said digitally signed receipt received from said third information processor from said first information processor to said second information processor.

16. A shopping method according to claim 15, wherein said first information processor digitally signs said invoice data digitally signed by said second information processor to transmit it to said third information processor, and said third information processor checks two signatures on said received invoice data of which one is affixed by said second information processor and the other is affixed by said first information processor.

17. A shopping method according to claim 15 or 16, wherein said second information processor checks whether the signature on said receipt received from said first information processor coincides with said payment address affixed to said invoice data.

18. A shopping method according to claim 15 or 16, wherein said first information processor transmits to said second information processor a request for repaying the electronic money transmitted to said third information processor in accordance with the order, said second information processor transmits repayment permit data including data for specifying a repaying apparatus, an amount of refund and data for specifying a refund receiving apparatus after digitally signing the repayment permit data by a private key, and said first information processor responds to the electronic money remitted in accordance with said repayment request to transmit a repayment receipt obtained by digitally signing data including identification of said repayment permit data by a private key from said second information processor to said third information processor.

EP 0 848 343 A2

19. A shopping method according to claim 18, wherein said second information processor uses identification data included in certificate data digitally signed by a certificate authority, in order to specify said first information processor or a user thereof.